Audit Report, “Security of [a NASA Center’s Computer] Network” (IG-06-008, June 2, 2006)

The NASA Office of Inspector General conducted an audit to determine whether [a NASA Center] had implemented adequate information technology security controls to provide reasonable assurance of network security to protect NASA data and systems against possible compromise.

The NASA Center’s controls did not provide reasonable assurance of network security. Specifically, system administrators did not (1) periodically review critical firewall audit logs and modems used to protect the computer network; (2) monitor for the use of files and commands with security risks; (3) consistently perform system backups; and (4) meet NASA requirements for storing backup media. System administrators also accessed a key server containing security information without adequate encryption and did not remove unnecessary services from the network. Further, software patches were not timely installed to fix security weaknesses in the network servers and vulnerabilities found during security scans of the systems were not corrected in a timely manner. Finally, NASA did not have a formal policy for laptops or other electronic devices used by foreign nationals visiting the NASA Center or working onsite. Weaknesses in these areas could lead to the compromise of the computer network.

We recommended that the NASA Center take actions to improve security controls over the network, to include developing, implementing, and enforcing procedures and controls over auditing and monitoring, the use of software and unnecessary services, the installation of patches, and system backups. We also recommended that the Center develop and implement a formal policy to prohibit foreign nationals’ onsite use of their own laptops and other electronic devices.

NASA concurred with 9 of our 13 recommendations and had taken or planned corrective actions to improve security controls over the computer network. We considered management’s actions to be responsive to eight of those nine recommendations. Of the eight, we closed four recommendations and considered four resolved but open pending verification of the proposed actions. In addition, of the four recommendations with which management nonconcurred, we considered the proposed corrective actions for three to be responsive and have closed those recommendations.

We did not consider management’s comments on two recommendations to be responsive and requested additional comments in response to the final report.

The report contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.